Professional Documents
Culture Documents
LISTS
Search Leads
PROCESS OVERVIEW
OBTAINING & IMAGING FORENSIC DATA FORENSIC REQUEST PREPARATION / EXTRACTION
1 2 3
Comments/Notes/Messages
IDENTIFICATION
ANALYSIS
FORENSIC REPORTING
CASELEVEL ANALYSIS
Generally this involves opening a case file in the tool of choice and importing forensic Use this section as image file. This could also include recreating needed. a network environment or database to mimic the original environment. Sample Note: Please notify case agent Sample Data Search Leads: when forensic data Identify and extract all email and deleted preparation is items. completed. Search media for evidence of child pornography. Configure and load seized database for data mining. Recover all deleted files and index drive for review by case agent/forensic examiner.
Extracted Data
Prepared / Extracted Data Comments/Notes/Messages Prepared / Extracted Data List is a list of Use this section as needed. items that are prepared or extracted to allow identification of Data pertaining to the Sample Message: forensic request. Numerous files located in c:\movies directory Sample Prepared / Extracted Data items: have .avi extensions but are actually Excel Processed hard drive image using Encase spreadsheets. or FTK to allow a case agent to triage the contents. Exported registry files and installed registry viewer to allow a forensic examiner to examine registry entries. A seized database files is loaded on a database server ready for data mining.
PREPARATION / EXTRACTION
IDENTIFICATION
ANALYSIS
Start Is there Unprocessed data in the Prepared/Extracted Data List? Yes What type of item is it. Document this item and all relevant meta data and attributes on Relevant Data List.
3
No
No
No
Yes. Setup and validate forensic hardware and software; create system configuration as needed. Integrity not OK
Where
Where was it found? Where did it come from? Does it show where relevant events took place?
Duplicate and verify integrity of Forensic Data? Integrity OK Organize / Refine forensic request and select forensic tools.
If item can generate new Data Search Leads, document new leads to Data Search Lead List.
When
When was it created, accessed, modified, received, sent, viewed, deleted, and launched? Does it show when relevant events took place? Time Analysis: What else happened on the system at same time? Were registry keys modified?
If item or discovered information can generate new Data Search Leads, document new leads to Data Search Lead List.
If the forensic request is finding information relating credit card fraud, any credit card number, image of credit card, emails discussing making credit card, web cache that shows the date, time and search term used to find credit card number program, Etc are Relevant Data as evidence. In addition, Victim information retrieved is also Relevant Data for purpose of victim notification.
How Data NOT relevant to forensic request Stop! Notify appropriate personnel; wait for instruction If item or discovered information can generate New Source of Data, document new lead on New Source of Data Lead List. If New Source of Data Lead generated, Start OBTAINING & IMAGING FORENSIC DATA.
How did it originate on the media? How was it created, transmitted, modified and used? Does it show how relevant events occurred?
Extract data requested Add Extracted data to Prepared /Extracted Data List.
Other Connections
Do the above artifacts and metadata suggest links to any other items or events? What other correlating or corroborating information is there about the item? What did the user do with the item?
If item or discovered information can generate New Source of Data, document new lead on New Source of Data Lead List.
If New Source of Data Lead generated, Start OBTAINING & IMAGING FORENSIC DATA.
Analysis Results
Analysis Results Analysis Result List is a list of meaningful data that answers the who, what, when, where and how questions in satisfying the forensic request. Comments/Notes/Messages Use this section as needed Sample Notes: 1. 10.dat, message5.eml and stegano.exe show that John Doe used steganography tool to hides a ten dollar image in 10.dat at 11:03 PM 01/05/ 03 and emailed it to Jane Doe at 11:10 PM 01/05/03.
Identify any other information that is relevant to the forensic request. Use timeline and/or other methods to document findings on Analysis Results List.
No Start IDENTIFICATION. Mark item processed on Prepared/Extracted Data List. If there is data for analysis, Start ANALYSIS
Return On Investment
(Determine when to stop this process. Typically, after enough evidence is obtained for prosecution, the value of additional forensic analysis diminishes.)
1/4/03
1/5/03
01000100010011110100101000100000010000110100001101001001010100000101001100100000010011110111011001101001011001010010000001000011011000010111001001110010011011110110110001101100001000000110000101101110011001000010000001010100011010000110111101101101011000010111001100100000010100110110111101101110011001110010000001000100010011110100101000100000010000110100001101001001010100000101001100100000
Department of Justice (DOJ) Computer Crime and intellectual Property Section (CCIPS) Cybercrime Lab http://www.cybercrime.gov (202) 514-1026